Skip to content
This repository has been archived by the owner on Jun 19, 2022. It is now read-only.

Authentication check: additional k8s Event check for Secret absence in source #2014

Merged
merged 3 commits into from
Dec 23, 2020
Merged

Authentication check: additional k8s Event check for Secret absence in source #2014

merged 3 commits into from
Dec 23, 2020

Conversation

grac3gao-zz
Copy link
Contributor

@grac3gao-zz grac3gao-zz commented Dec 22, 2020
edited by Harwayne
Loading

Fixes #

PRs to add the authentication check:

  1. Environment variable to differentiate authentication mode
  2. Authentication check running inside the Pod (left part: Pods using kncloudevent library like Ingress)
  3. Additional k8s Event check for Secret absence in source(<-this PR)

Proposed Changes

  • If deployment has minimal replica unavailable error and it is secret mode, check k8s event to see if it is caused by secret absence.
  • Remark upper-level source with authentication related Reason and Message.

Release Note

馃巵 Authentication check: additional k8s Event check for Secret absence

@google-cla google-cla bot added the cla: yes (override cla status due to multiple authors bug) label Dec 22, 2020
@knative-prow-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: grac3gao

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@grac3gao-zz grac3gao-zz changed the title Authentication check: additional k8s Event check for Secret absence Authentication check: additional k8s Event check for Secret absence in source Dec 22, 2020
Harwayne
Harwayne reviewed Dec 23, 2020
View reviewed changes
pkg/reconciler/intevents/pullsubscription/static/pullsubscription.go Outdated Show resolved Hide resolved
pkg/utils/authcheck/list.go Outdated Show resolved Hide resolved
pkg/utils/authcheck/list.go Outdated
@@ -65,3 +94,17 @@ func GetTerminationLogFromPodList(pl *corev1.PodList) string {
func isAuthMessage(message string) bool {
return strings.Contains(message, authMessage)
}

// isWarningMessage checks if the message is for a specific secret's failure.
func isWarningMessage(message, namespace string, secret *corev1.SecretKeySelector) bool {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
func isWarningMessage(message, namespace string, secret *corev1.SecretKeySelector) bool {
func isSecretMountFailureMessage(message, namespace string, secret *corev1.SecretKeySelector) bool {

Copy link
Contributor Author

@grac3gao-zz grac3gao-zz Dec 23, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This function checks message for two cases: key is absent, and secret is absent. The k8s Event Reason for those two case are different. For key is absent, the reason is just Failed, for secret is absent, the reason is FailedMount. So I think case key is absent is not strictly a secretMountFailure case. If you don't mind, I'll change it to isSecretFailureMessage.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SGTM. I found the isWarningMessage name to be misleading, isSecretFailureMessage is much clearer.

@knative-metrics-robot
Copy link

The following is the coverage report on the affected files.
Say /test pull-google-knative-gcp-go-coverage to re-run this coverage report

File Old Coverage New Coverage Delta
pkg/reconciler/intevents/pullsubscription/keda/pullsubscription.go 64.0% 73.3% 9.3
pkg/reconciler/intevents/pullsubscription/static/pullsubscription.go 70.0% 86.2% 16.2
pkg/utils/authcheck/list.go 84.6% 83.3% -1.3

Harwayne
Harwayne reviewed Dec 23, 2020
View reviewed changes
Copy link
Contributor

@Harwayne Harwayne left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/hold

Holding in case @AlexandraRoatis has any additional comments.

@AlexandraRoatis
Copy link
Contributor

/lgtm

@knative-prow-robot knative-prow-robot merged commit e3c4cee into google:master Dec 23, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Harwayne Harwayne Harwayne left review comments

@AlexandraRoatis AlexandraRoatis AlexandraRoatis left review comments

@grantr grantr Awaiting requested review from grantr

Assignees

@Harwayne Harwayne

@AlexandraRoatis AlexandraRoatis

Labels
approved cla: yes (override cla status due to multiple authors bug) lgtm size/XL
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@grac3gao-zz @knative-prow-robot @knative-metrics-robot @AlexandraRoatis @Harwayne @grac3gao